SSO / SAML 2.0
Enterprise teams can configure SAML 2.0 SSO for centralized authentication.
Overview
localskills.sh acts as a SAML Service Provider (SP). It supports any SAML 2.0–compliant identity provider, including Okta, Azure AD, Google Workspace, and OneLogin.
Configuring SSO requires the team owner role. Users who authenticate via SSO are provisioned through Better Auth organizations.
SP configuration
Provide the following values to your identity provider. Replace {providerId} with the provider ID from the SSO settings page.
SP Metadata URL
https://localskills.sh/api/auth/sso/saml2/sp/metadata?providerId={providerId}
ACS URL
https://localskills.sh/api/auth/sso/saml2/sp/acs/{providerId}
SAML callback handler
https://localskills.sh/api/auth/sso/saml2/callback/{providerId}
IdP setup
Configure a Better Auth SSO provider from your team's SSO & Provisioning settings page.
Set a stable provider ID, the IdP issuer URL, and one or more email domains.
Paste the SAML configuration JSON required by Better Auth, including IdP metadata or entry point, certificate, service provider metadata, and attribute mapping.
Email domains
Whitelist one or more email domains for SSO (e.g. example.com). Only users with matching email domains can sign in via SAML.
Multiple domains are supported. Domain uniqueness is enforced across all teams — a domain can only be claimed by one team at a time.
Enforcement
Users start SSO by entering an email address whose domain matches a configured provider. localskills.sh then redirects through Better Auth's SSO provider ID flow.
Provisioned users are added to the team according to Better Auth's organization role behavior.
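The domain rules under Email domains and the email-based routing under Enforcement can be sketched as follows. This is an added example, not code from localskills.sh or Better Auth. The `DomainRegistry` class, its method names, the team and provider IDs, and the choice of exact (non-subdomain) matching are all assumptions made for illustration.

```javascript
// Added example: hypothetical in-memory registry, not Better Auth or localskills.sh code.
const SP_BASE = "https://localskills.sh/api/auth/sso/saml2"; // from the SP configuration above

// Extract and normalise the domain of an email address; returns null if malformed.
function emailDomain(email) {
  if (typeof email !== "string") return null;
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) return null;
  const domain = email.slice(at + 1).trim().toLowerCase().replace(/\.$/, "");
  // Only plain DNS labels; rejects embedded whitespace and empty labels.
  return /^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(domain) ? domain : null;
}

class DomainRegistry {
  constructor() {
    this.byDomain = new Map(); // domain -> { teamId, providerId }
  }

  // Claim a domain for a team's provider; a domain belongs to one team at a time.
  claim(teamId, providerId, domain) {
    const d = emailDomain("x@" + domain);
    if (!d) throw new Error("invalid domain: " + domain);
    const owner = this.byDomain.get(d);
    if (owner && owner.teamId !== teamId) {
      throw new Error("domain already claimed by another team: " + d);
    }
    this.byDomain.set(d, { teamId, providerId });
  }

  // Exact match only (assumption): a suffix or substring match would route
  // "user@example.com.attacker.test" or "user@notexample.com" to this provider.
  resolve(email) {
    const d = emailDomain(email);
    return d ? (this.byDomain.get(d) ?? null) : null;
  }
}

// ACS URL the IdP posts the SAML response to for a given provider ID.
function acsUrl(providerId) {
  return `${SP_BASE}/sp/acs/${encodeURIComponent(providerId)}`;
}

// Constructed sample data.
const registry = new DomainRegistry();
registry.claim("team-a", "acme-okta", "Example.com");
```
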